Configuring ADFS for Admin SAML Single Sign-On


This example illustrates how to configure a Windows Server 2008 R2 server running ADFS (SAML 2.0) as an IdP for the Zscaler service, so that your organization's admins can use SAML single sign-on. It assumes that ADFS 3.0 is already installed on the Windows server. Refer to the Windows ADFS documentation for additional information about the steps in the example. The relevant technical attributes are:

ACS URL: https://admin.<cloud_name>/adminsso.do

For example, if your cloud is zscalerone.net, https://admin.zscalerone.net/adminsso.do would be your ACS URL. To learn how you can find your cloud name, see What is my cloud name?

Hashing algorithms: AES-1 and AES-256

Prerequisites

Below are the prerequisites for configuring the ADFS server:

ADFS account with admin privileges

Admin accounts created for your organization's admins. To learn more, see Add Admins.

Configuration Steps

To add the Zscaler service to ADFS, go to Start > ADFS Management 2.0 to launch the ADFS management application and do the following:

A. Configure the Zscaler service as a relying party trust

In ADFS, a relying party is a Federation Service or application that requests and consumes claims from a claims provider in a particular transaction. Complete the following steps to add Zscaler as a relying party trust.

In the ADFS 3.0 Management window, open the Trust Relationships > Relying Party Trusts folder. In the Actions menu on the right, click Add Relying Party Trust.

When the Add Relying Party Trust wizard appears, click Start.

The wizard steps are listed in the column on the left.

In Select Data Source, choose Import data about the relying party from a file, and click Next.

Enter a Display name for the Zscaler service, such as Admin SAML Zscaler-Beta, and then click Next.

Allow the wizard to run through the next three steps (Choose Profile, Configure Certificate, Configure URL, and Configure Identifiers).

In Configure Multi-factor Authentication Now?, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.
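Before importing the relying party file in the Select Data Source step, you can check that the ACS URL it declares matches the https://admin.<cloud_name>/adminsso.do format given above. The following is an added example, not part of the original procedure or any Zscaler tooling: it assumes the file is SAML 2.0 service provider metadata XML, the function name check_acs is hypothetical, and the sample metadata (including its entityID) is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample, not a real Zscaler export; entityID is a placeholder.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="placeholder-entity-id">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://admin.zscalerone.net/adminsso.do"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_acs(metadata: bytes, cloud_name: str) -> list:
    """Return a list of problems; an empty list means every ACS URL matches."""
    # Refuse DTDs up front: relying-party metadata has no need for entities.
    if b"<!DOCTYPE" in metadata:
        return ["DTD present, refusing to parse"]
    try:
        root = ET.fromstring(metadata)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    path = f".//{MD_NS}SPSSODescriptor/{MD_NS}AssertionConsumerService"
    endpoints = root.findall(path)
    if not endpoints:
        return ["no AssertionConsumerService element found"]
    want_host = f"admin.{cloud_name}"
    problems = []
    for ep in endpoints:
        loc = ep.get("Location", "")
        url = urlsplit(loc)
        if url.scheme != "https":
            problems.append(f"ACS is not HTTPS: {loc}")
        # netloc keeps userinfo and port, so only the bare host passes.
        elif url.netloc != want_host:
            problems.append(f"ACS host {url.netloc!r} is not {want_host!r}")
        elif url.path != "/adminsso.do" or url.query or url.fragment:
            problems.append(f"ACS path is not /adminsso.do: {loc}")
    return problems


if __name__ == "__main__":
    for cloud in ("zscalerone.net", "othercloud.example"):
        print(cloud, check_acs(SAMPLE_METADATA, cloud) or "OK")
```

An empty result means every assertion consumer endpoint in the file points at the admin portal of the cloud name you passed in; any other result should be resolved before the trust is created.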